Intel's BIOS Update - The solution to CPU bugs or a new loophole for hackers?

With Intel, Hackers Check In When Bugs Check Out
By Alexander Wolfe
SANTA CLARA, Calif. -- Intel's BIOS Update technology to quickly fix bugs
that crop up in its microprocessors without having to recall the chips may
contain a Trojan horse -- a hole that could potentially enable hackers to
wreak havoc on the company's CPUs -- said a BIOS expert familiar with the
technology. However, other industry experts said they believe Intel is
staking out a pace-setting position with its bug-busting technology. They
give the semiconductor giant kudos for using BIOS Update to reduce the
impact of bugs in the face of a verification crisis that makes it
increasingly difficult to ensure that microprocessors with tens of millions
of transistors are validated and free of flaws.
BIOS Update is a hidden feature that can fix bugs in Pentium Pro and
Pentium II CPUs by patching the microcode inside the microprocessor. When
the processor boots up, the BIOS loads the patches, which are contained in
a 2,048-byte-long BIOS Update data block that is supplied by Intel. "The
problem is, the BIOS cannot verify whether the BIOS Update data block
contains real microcode or not," claimed one BIOS expert, who requested
anonymity. "As long as the header and the checksum are okay, the BIOS will
load that microcode into the microprocessor. Some hacker could actually
wipe out microcode in the CPU. There is nothing that can prevent this."
Intel doesn't see such a scenario as a realistic threat, pointing to the
fact that the BIOS Update data block is encrypted. "We've spent quite a lot
of time thinking about such scenarios to make sure we had sufficient
mechanisms in place so you couldn't introduce your own flavor of BIOS
Update into the processor," said Ajay Malhortra, a technical marketing
manager based here at Intel's microprocessor group. "Not only is the data
block containing the microcode patch encrypted, but once the processor
examines the header of the BIOS update, there are two levels of encryption
in the processor that must occur before it will successfully load the
update."
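The two preceding passages describe two different checks: the BIOS-side test the anonymous expert criticizes (header fields plus a checksum over the 2,048-byte data block) and the processor-side cryptographic verification Intel's Malhortra says sits behind it. The following Python is an added illustration, not code from the article or from Intel, of why those checks differ in kind. The 48-byte header layout and the "all dwords sum to zero" checksum rule follow the microcode update header format Intel later documented in its Software Developer's Manual; the processor signature, platform flags, date, sample payload, vendor key and the HMAC tag standing in for Intel's undocumented processor-side mechanism are all constructed assumptions.

```python
"""Integrity (checksum) versus authenticity (keyed tag) for a 2,048-byte
microcode update block. Added example; header layout per Intel's published
update format, everything else constructed for illustration."""
import hashlib
import hmac
import struct

BLOCK_SIZE = 2048                      # the 2,048-byte BIOS Update data block
HEADER_SIZE = 48                       # nine little-endian dwords + 12 reserved bytes
DATA_SIZE = BLOCK_SIZE - HEADER_SIZE   # 2000 bytes of opaque microcode data
HEADER_FMT = "<9I12x"                  # version, revision, date, signature, checksum,
                                       # loader revision, flags, data size, total size


def dword_checksum(block):
    """Sum every 32-bit word mod 2^32; a well-formed update sums to zero."""
    return sum(struct.unpack("<%dI" % (len(block) // 4), block)) & 0xFFFFFFFF


def build_block(update_rev, date_bcd, cpu_sig, cpu_flags, payload):
    """Assemble a block whose checksum field makes the whole block sum to zero.
    Anyone can run this: the checksum is public arithmetic, not a secret."""
    if len(payload) != DATA_SIZE:
        raise ValueError("payload must be exactly %d bytes" % DATA_SIZE)
    fields = [1, update_rev, date_bcd, cpu_sig, 0, 1, cpu_flags, DATA_SIZE, BLOCK_SIZE]
    partial = dword_checksum(struct.pack(HEADER_FMT, *fields) + payload)
    fields[4] = (-partial) & 0xFFFFFFFF   # checksum field cancels the rest
    return struct.pack(HEADER_FMT, *fields) + payload


def bios_accepts(block, cpu_sig, cpu_flags):
    """The loader-side check the article describes: header sanity plus checksum."""
    if len(block) != BLOCK_SIZE:
        return False, "bad length"
    hv, _rev, _date, sig, _cks, lv, flags, dsize, tsize = struct.unpack(
        HEADER_FMT, block[:HEADER_SIZE])
    if hv != 1 or lv != 1:
        return False, "unknown header or loader version"
    if dsize not in (0, DATA_SIZE) or tsize not in (0, BLOCK_SIZE):  # 0 = defaults
        return False, "bad size fields"
    if sig != cpu_sig or not (flags & cpu_flags):
        return False, "update not for this processor"
    if dword_checksum(block) != 0:
        return False, "checksum mismatch"
    return True, "ok"


def issue_tag(block, vendor_key):
    """Constructed stand-in for vendor-side authentication: keyed tag over the block."""
    return hmac.new(vendor_key, block, hashlib.sha256).digest()


def authenticated_accepts(block, tag, cpu_sig, cpu_flags, vendor_key):
    """Same header/checksum test, then require proof the vendor issued this exact block."""
    ok, why = bios_accepts(block, cpu_sig, cpu_flags)
    if not ok:
        return False, why
    if not hmac.compare_digest(tag, issue_tag(block, vendor_key)):
        return False, "authentication failed"
    return True, "ok"


# Constructed sample values (not real Intel data).
CPU_SIG = 0x00000617                     # sample family/model/stepping signature
CPU_FLAGS = 0x00000001                   # sample platform-ID bit
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"
GOOD_PAYLOAD = bytes(range(256)) * 7 + bytes(208)   # 2000 bytes of sample data


def demo():
    genuine = build_block(0x0A, 0x06011997, CPU_SIG, CPU_FLAGS, GOOD_PAYLOAD)
    tag = issue_tag(genuine, VENDOR_KEY)
    corrupted = bytearray(genuine)
    corrupted[100] ^= 0x01                          # a single-bit transport error
    # A block the vendor never issued, built with the same public arithmetic.
    unissued = build_block(0x0A, 0x06011997, CPU_SIG, CPU_FLAGS, bytes(DATA_SIZE))
    return {
        "genuine": bios_accepts(genuine, CPU_SIG, CPU_FLAGS),
        "corrupted": bios_accepts(bytes(corrupted), CPU_SIG, CPU_FLAGS),
        "unissued_checksum_only": bios_accepts(unissued, CPU_SIG, CPU_FLAGS),
        "unissued_authenticated": authenticated_accepts(
            unissued, tag, CPU_SIG, CPU_FLAGS, VENDOR_KEY),
        "genuine_authenticated": authenticated_accepts(
            genuine, tag, CPU_SIG, CPU_FLAGS, VENDOR_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-24s %s" % (name, result))
```

The checksum does its job against the failure it was designed for, a corrupted block, but it says nothing about who produced the block, which is the expert's objection; a check keyed on something only the issuer holds is what separates "well-formed" from "issued by the vendor", and that is the role the processor-side verification in Intel's reply has to play.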
But Intel's biggest security feature may lie in keeping the technical
details behind its BIOS Update technology a closely guarded secret. "There
is no documentation," said Frank Binns, an architect in Intel's
microprocessor group. "It's not as if you can get an Intel 'Red Book' with
this stuff written down. It's actually in the heads of less than 10 people
in the whole of Intel."
However, some experts remain unconvinced. "This is just like any other
technology -- if you want to reverse-engineer it, you can," said Ed Curry,
president of Lone Star Evaluation Laboratories, a Georgetown, Texas
microprocessor benchmarking and testing company. "You can do it by brute
force, or a hacker could obtain information from someone inside the company
or someone who had access to the documentation."
Indeed, Curry, who said he's made presentations on computer-security issues
to the U.S. Defense Department, said he believes microprocessor hardware in
general is much more vulnerable to hacking than is commonly believed.
"This is the big hole in our government security programs," he said. "They
don't look at hardware as well as they should; they only look at software.
This goes beyond desktop computers. You have to remember that
microprocessors are now embedded in our weapons systems."
Nevertheless, it's widely believed that it would be tough for a hacker to
fake a complete microcode patch, in no small measure because it's also very
difficult to obtain documentation that details the internal representation
-- word widths and usage of all the bits -- of Pentium Pro microcode. In
the era of the 8086 and 8088, microcode documentation was readily
available. But such information is provided to selected developers only
under tight nondisclosure restrictions. "It's a tightly held secret,"
Intel's Binns said.
New-Tech Jitters
However, it is seen as more feasible for a hacker to successfully fake the
header and checksum portion of the BIOS Update data block -- something that
could still cause the microprocessor to crash or lock up.
According to another BIOS expert, talk of potential Trojan horses might be
nothing more than jitters about new technology. "This is a new thing in the
market," said the expert, who likened it to the early days of flash BIOS.
"There was a great fear factor when the industry started using flash
BIOSes," he said, "where concerns were raised that somebody could go in and
destroy a system by flashing in a new BIOS containing an errant piece of
code. I think today there's a fear that someone will play around with this
BIOS Update feature and try to cause havoc with Intel's CPUs."
As an added security precaution, some BIOS manufacturers limit access to
their software. "As a matter of policy, we don't make our BIOS code
available to anyone other than a system vendor or motherboard
manufacturer," said Thomas Benoit, corporate marketing manager at BIOS
vendor Phoenix Technologies, Natick, Mass. "We don't believe anyone should
be twiddling the bits in our BIOS code."
Irrespective of Trojan horse scenarios, many experts see Intel's
bug-busting technology as a boon. "This feature benefits everyone -- it
shouldn't be viewed as a liability, but as an asset," said Mark Huffman,
marketing manager at American Megatrends, in Norcross, Ga. "It allows you
to be able to update your processor without pulling it out of the system.
Obviously, you can flash in a new BIOS a lot quicker than you can pop the
case, pop the CPU and wait for a replacement."
Indeed, BIOS Update has already been successfully used in the field to fix
glitches in Pentium Pro-class CPUs, according to an Intel spokesman and to
sources at several major BIOS vendors.
"Yes, it is used," said an engineer at one vendor. "I personally know of
five different things in the Pentium Pro related to multiprocessing, system
management interrupt and other areas."
"I think it'll be very useful," Phoenix Technologies' Benoit said. "It's
really to Intel's benefit that BIOS vendors are implementing this feature."
"It's a very good feature," said Laurent Gharda, vice president of
marketing at BIOS vendor Award Software International, in Mountain View,
Calif. "The downside is going to be lower performance, perhaps. But the
upside is avoiding a chip recall, as took place a few years ago." Intel's
Pentium was recalled in January 1995 following the revelation of a bug in
the processor's floating-point divide operations.
Moreover, some say BIOS Update may signal the start of an industrywide
trend. "These new Pentium-class clone CPUs that have recently been
announced -- like the Centaur microprocessor -- they're going to do the
same type of process," said Huffman at American Megatrends. Centaur --
officially the IDT-C6 -- is made by Centaur Technology, an Austin,
Texas-based subsidiary of Integrated Device Technology. It was introduced
in May and delivered to beta customers in Taiwan last month.
At Centaur, a spokesman said, "The current silicon we are sampling has that
capability, but in the production version of the chip we are dropping the
feature, because it necessitates an increased die size."
As a result, any bugs that crop up will have to be fixed via a mask
revision -- a path the spokesman described as preferable. "Ideally, you
want to do fixes by mask changes," he said. "That way, you'll have clean
silicon moving forward. Otherwise, you have lots of different versions of
BIOS floating around." But Centaur can easily add the feature back into
future versions, if it wishes.
For its part, Advanced Micro Devices of Sunnyvale, Calif., does not have
the feature in its K5 and K6 microprocessors, according to a company
spokesman. "There are some errata that can't be fixed by a BIOS update --
specifically, a hardwired instruction can't be changed." He added that AMD
has the ability to add the feature into future designs, if it deems it
necessary.
Still, Huffman of American Megatrends thinks the BIOS Update feature has
legs. "I think you'll see a trend toward CPU manufacturers incorporating
this capability so they can perform microcode updates in the field," he
said. "It gives them more flexibility in their manufacturing process --
they can keep their fab lines running and don't have to stop them to make a
mask change and switch to a new stepping every time there's an erratum.
More important, they don't have to recall the stepping that has the bug.
They can just issue a BIOS update."
Intel doesn't tell the BIOS vendors what bugs are being fixed in any given
BIOS Update. However, there appears to be a way to figure that out.
"It's true you can't see what's happening from a binary standpoint," the
BIOS expert who requested anonymity said. "But Intel does release errata
along with the update, which gives an explanation of what the update is
for. To that extent, you know what they're fixing, though you don't know
the exact binary details of what's occurring."
Although the BIOS Update feature is firmly in place in the Pentium Pro and
Pentium II families, Intel declined to comment on whether it is being used
in Pentiums with the MMX multimedia extensions. Looking ahead, deciding
whether to implement the technology in future CPU families will involve
architectural considerations that extend far beyond a desire to bust bugs.
"We're just learning the power this technology really has," Intel's
Malhortra said. "In concert with that, we're also becoming more aware of
some of its limitations. For example, the trade-off between die size that's
used for microcode-patchable space [i.e., for the BIOS Update feature] vs.
die size that can be devoted to performance enhancements or to additional
micro-architectural features is a tough one."
Validation Boost
"One could make the argument that, with improved validation processes,
you won't need to expand silicon real estate devoted to the microcode-patch
feature, because early validation would catch the bulk of problems,"
Malhortra added.
Nevertheless, there's a growing concern that microprocessor bugs could
become a bigger problem as 64-bit CPU architectures -- which will be orders
of magnitude more difficult to validate than current designs -- are
introduced toward the end of the decade.
"It's becoming abundantly clear that the ability to manufacture in high
volume and to provide a reliable product through validation are somewhat
mutually exclusive," Intel's Binns said. "It takes a fairly large amount of
time to wring all the errata out of a processor. Fixing errata by making
changes to silicon is OK, if you can make those changes quickly.
Unfortunately, with the complexity of the processors we've got today,
that's not acceptable. The smarter we can get with features like this, the
less errata we bring to market. And if we do see errata after we ship, we
can correct them in situ."
----- End of forwarded message from Richard Crisp -----